Information Security Framework
Part VI of the Mentora Tanzania Legal Framework — ISO 27001 Alignment
Effective Date: 1 January 2026 · © 2026 Mentora Tanzania — A solution by Evolucion Technologies Company Limited
43. ISMS Scope and Objectives
Mentora Tanzania maintains an Information Security Management System (ISMS) aligned with the ISO/IEC 27001:2022 international standard. The ISMS applies to all information assets, personnel, processes, and technology infrastructure involved in the delivery of the Mentora platform and services.
The objectives of the ISMS are to:
- Protect the confidentiality, integrity, and availability of all information assets
- Ensure compliance with legal, regulatory, and contractual obligations
- Manage information security risks systematically and proportionately
- Foster a culture of security awareness across the organization
- Support continuous improvement in information security practices
44. Security Control Domains
The Company implements controls across the following ISO 27001 Annex A domains:
A.5 — Organizational Controls
Information security policies, roles and responsibilities, segregation of duties, contact with authorities, threat intelligence, and information security in project management.
A.6 — People Controls
Screening, terms and conditions of employment, information security awareness, training and education, disciplinary processes, and responsibilities after termination.
A.7 — Physical Controls
Physical security perimeter, physical entry controls, securing offices, protection against physical and environmental threats, equipment security, and secure disposal.
A.8 — Technological Controls
User endpoint devices, privileged access rights, information access restriction, secure authentication, capacity management, malware protection, vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring, web filtering, and secure coding.
45. Risk Treatment Methodology
The Company applies the following risk treatment approach:
- Risk Identification: Systematic identification of threats and vulnerabilities to information assets through threat modeling, vulnerability scanning, and business impact analysis.
- Risk Analysis: Assessment of each risk based on likelihood and potential impact, considering existing controls.
- Risk Evaluation: Comparison of risk levels against the Company's risk appetite and tolerance thresholds.
- Risk Treatment: Selection and implementation of appropriate treatment options:
  - Mitigate: Implement controls to reduce risk to acceptable levels
  - Transfer: Transfer risk through insurance or contractual arrangements
  - Avoid: Eliminate the activity that gives rise to the risk
  - Accept: Formally accept residual risk where it falls within tolerance
- Monitoring and Review: Ongoing monitoring of risks and effectiveness of controls, with formal reviews at least annually.
46. Access Control Policy
- Access to all systems is granted on a least-privilege, need-to-know basis
- Role-based access control (RBAC) is implemented across all platform components
- Multi-factor authentication (MFA) is required for administrative access
- Access rights are reviewed quarterly and upon any change in personnel role
- Privileged access is logged, monitored, and subject to enhanced clearance
- Access is revoked within 24 hours of personnel departure or role change
47. Cryptographic Controls
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using AES-256 encryption
- Cryptographic keys are managed through secure key management infrastructure
- Key rotation is performed in accordance with industry best practices
- Database backups are encrypted and stored in geographically redundant locations
48. Incident Management
The Company maintains a comprehensive incident management process:
- All security events are logged and monitored in real-time
- Security incidents are classified by severity and escalated accordingly
- The incident response team is available 24/7 for critical incidents
- Root cause analysis is conducted for all P1 and P2 incidents
- Lessons learned are documented and incorporated into security controls
- Incident reports are shared with affected Institutions as appropriate
49. Business Continuity and Disaster Recovery
- Business continuity plans are maintained and tested at least annually
- Recovery Point Objective (RPO): Maximum 1 hour of data loss
- Recovery Time Objective (RTO): Maximum 4 hours for core services
- Automated backups are performed daily with incremental backups every 6 hours
- Disaster recovery drills are conducted semi-annually
- Results of continuity tests are documented and reviewed by senior management
50. Certification Roadmap
The Company is committed to achieving and maintaining formal ISO 27001 certification:
| Phase | Activity | Target Timeline |
|---|---|---|
| Phase 1 | Gap analysis and ISMS framework establishment | Q1 2026 |
| Phase 2 | Control implementation and documentation | Q2 2026 |
| Phase 3 | Internal audit and management review | Q3 2026 |
| Phase 4 | External certification audit | Q4 2026 |
51. Continuous Improvement
The Company is committed to continual improvement of its ISMS through:
- Regular internal audits conducted at least annually
- Management reviews with the Board of Directors
- Corrective action tracking for identified non-conformities
- Incorporation of lessons learned from security incidents
- Monitoring of emerging threats and evolving best practices
- Employee security awareness programs updated annually
Contact
For security-related inquiries, contact: mentoratanzania@gmail.com.